A California man this month admitted he stole photos and videos from hundreds of strangers’ Apple iCloud accounts to find and trade images of nude young women online.
Prosecutors in Florida had charged [PDF] Hao Kuo Chi, 40, of Los Angeles County, who uses the first name David, with conspiracy and computer fraud.
Chi, using the online name “icloudripper4you,” worked with other unidentified miscreants to obtain files from Apple customers’ iCloud accounts by impersonating Apple customer support representatives in email messages.
Starting in September 2014 and continuing at least through May 2018, Chi obtained victims’ Apple IDs and passwords by posing as a support rep and used those credentials to scour their iCloud accounts for nude pictures and videos. He then shared those intimate files with others, with whom he communicated “using a foreign-based end-to-end encrypted email service to maintain anonymity,” prosecutors said.
In his agreement to plead guilty earlier this month [PDF], Chi said he obtained unauthorized access to at least 306 iCloud accounts for people in Arizona, California, Connecticut, Florida, Kentucky, Louisiana, Maine, Massachusetts, Ohio, Pennsylvania, South Carolina, and Texas.
“Chi and his conspirators sought out nude photographs and videos stored in victim iCloud accounts, which they referred to as ‘wins,’ and collected, shared, and traded ‘wins’ with one another,” the plea agreement stated.
When the Feds searched Chi’s home in La Puente, California, in May this year, “Chi admitted to hacking the iCloud accounts of approximately 200 victims at the request of individuals he met online,” the agreement continued.
The investigators discovered hundreds of thousands photos and videos taken from iCloud accounts. According to the Los Angeles Times, FBI agents found more than 500,000 emails in two Gmail accounts used for the scheme, with credentials for about 4,700 iCloud accounts. Chi’s Dropbox account, used to store and share pilfered files, is said to have contained some 620,000 photos and 9,000 videos.
Chi’s attorney did not immediately respond to a request for comment. Chi was charged with one count of conspiracy and three counts of unauthorized access to a protected computer, each of which carries a sentence of up to five years.
The case coincides with a controversial Apple child safety initiative through which the iGiant plans to scan iCloud-bound photos on iPhones and iPads to see if they match known child sexual abuse material (CSAM).
There’s been speculation that Apple undertook the unusual and unpopular step of using its customers’ own devices against them to allow the mega-corp to encrypt files in iCloud while still providing enough assurance to authorities that illegal CSAM is not being stored.
If it did so, Apple customers would be less susceptible to iCloud photo theft because those files would be encrypted. But in order for any such encryption to function effectively, iCloud customers (or Apple) would have to manage a separate decryption key, in addition to their Apple ID and password, to protect against social engineering attacks that dupe them into granting account access to attackers.
Apple, as expected, did not respond to a request for comment. ®